PhpSpreadsheet prior to 1.30.5 attempted to mitigate a deserialization vulnerability (CVE-2026-34084) by checking stream wrappers using parse_url and rejecting schemes with length greater than one. However, when the input path uses a phar wrapper with three or more slashes (e.g., phar:///path/file.phar/inner), parse_url returns false for the scheme, causing the check to be bypassed. PHP's stream layer still processes the phar wrapper, leading to automatic deserialization of phar metadata on PHP 7.x, invoking magic methods (__wakeup and __destruct) of attacker-controlled objects and enabling full remote code execution. On PHP 8.x, automatic metadata deserialization on file operations was removed, so RCE only occurs if Phar::getMetadata is called downstream. This vulnerability is addressed in PhpSpreadsheet version 1.30.5.

Successful exploitation on PHP 7.x environments can lead to full remote code execution without authentication due to automatic deserialization of attacker-controlled phar metadata. On PHP 8.x, the risk is reduced but still present if the application calls Phar::getMetadata on attacker-controlled files. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the server running vulnerable PhpSpreadsheet versions prior to 1.30.5.

Upgrade PhpSpreadsheet to version 1.30.5 or later, where this vulnerability is fixed. No other official remediation or temporary fix is documented. If upgrading is not immediately possible, avoid loading untrusted files with IOFactory::load and do not allow attacker-controlled input to specify file paths that could include phar wrappers. Patch status is not explicitly confirmed beyond the fixed version; check vendor advisories for updates.